Combining Termination Criteria by Isolating Deletion

Dénes Bisztray, Reiko Heckel
Department of Automation and Applied Informatics, Budapest University of Technology and Economics, [email protected]
Department of Computer Science, University of Leicester, [email protected]

Abstract. The functional behaviour of a graph transformation system is a crucial property in several application domains including model transformations and visual language engineering. Termination is one of the ingredients of functional behaviour and thus equally important. However, the termination of graph transformation systems is generally undecidable. Hence, most of the published termination criteria focus on specific classes of graph transformations. Unfortunately, graph transformations with lots of production rules usually do not fit into one of these classes. It would be advantageous if different sets of the production rules in the graph transformation system could be verified using different criteria. This paper addresses this problem by providing structural conditions on the rules enabling such a combination of termination criteria.

Key words: Termination, Graph Transformations, Model Transformations

1 Introduction

Termination is a fundamental property of graph transformation systems implementing functions over sets of graphs, such as in the case of model transformations. A graph transformation system is terminating if all its transformation sequences are finite. Proving that a system has this property for all graphs in the input set is a difficult task, undecidable in general [Plu95].

The work presented here was inspired by the Activity Diagram to CSP transformation published in [VAB+08, DB08]. In [EEdL+05], the rules of a graph transformation system are sorted into layers. These layers are either deletion or nondeletion layers. The conditions for forming the deletion layers express that the last creation of a node of a certain type should precede the first deletion of a node with the same type. The nondeletion layer conditions ensure that if an element of a specific type occurs in the LHS of a rule, then all elements of the same type were already created in previous layers [EEdL+05]. However, the transformation builds a CSP abstract syntax tree from the Activity Diagram: the various node types in CSP (e.g. Process or Event) are created by almost every rule. Hence, they cannot be sorted into creation layers (i.e. almost all rules would be in one big layer) and thus the criteria introduced in [EEdL+05] cannot be applied.

Although the termination criterion from [LPE07] is reasonably generic, one needs to investigate every combination of the rules pairwise. The transformation contains 18 rules with around 8-14 elements contained in the LHS rule graphs and 10-18 elements in the RHS rule graphs. Checking all the possible combinations by hand without making errors is unlikely to succeed.

A general termination criterion used as a technique in manual proofs is the following. A graph transformation system (TG, P) consisting of a type graph TG and a set of typed graph productions P is terminating if its transformations are monotonic with respect to a well-founded partial order  over the instances of TG [Bog95, BKPPT05]. This ordering reflects the state of transformation, i.e. a  b if b is closer to completion. To formalise this notion of closeness to completion, a metric M can be defined that assigns a natural number to every instance of TG. Then, M(a) > M(b) implies a  b. Unfortunately, this technique is hard to apply in practice since defining the partial order or a suitable metric is a task which requires much ingenuity and experience.

Recent research has focused on the transformation of this general criterion into a more applicable form. By now there are criteria of termination for specific classes of graph transformation systems [EEdL+05, LPE07]. When transformations are complex, it is less likely that they fit any single one of these classes. Indeed, it would be advantageous if they could be combined by proving termination of subsets of rules according to specific criteria and combining the resulting terminating subsets into a provably terminating global system. This is the approach of the present paper.
The idea is based on the observation that in complex transformations, there are distinct rule sets working on different parts of the host graph. While these rules are applied nondeterministically, i.e., the execution of rules from different sets is often interleaved, their effect is related. Thus, termination of such a rule set is independent of that of other rule sets provided that the sets are suitably isolated from one another. This notion of isolation is based on the absence and acyclicity of certain dependency relations between rules.

We approach the problem in two steps. First, termination of transformations consisting of only non-deleting rules with self-disabling negative conditions is shown. Where existing approaches are using layered rule sets [EEdL+05], we analyse a given unstructured set for produce-enable dependencies, i.e., sequential dependencies between rules that could lead to the creation of a match for one rule by another through creation of elements. If this relation is acyclic, the system terminates because self-disabling rules can only be applied once at each match and only finitely many matches can be created.

At the next stage, the result is extended to GTSs with general (possibly deleting) rules that preserve the start graph. Assuming that the effect of the deletion can be isolated into rule groups, we extend the dependency relation to self-contained rule groups. Termination follows if the rule groups are terminating by themselves and the dependency relation is acyclic. The termination of the rule groups themselves can be established using arbitrary termination criteria.

The outline of the paper is as follows. Section 2 presents the required basic definitions. In Section 3 the termination criterion for non-deleting graph transformation systems is established. In Section 4 the criterion is extended for deleting transformations. Section 5 presents an application of the approach to a complex transformation of UML activity diagrams into CSP. We conclude the paper with Section 6.

2 Basic Definitions

In this section we collect some fundamental definitions from existing literature. We use the double-pushout approach to typed attributed graph transformation with negative application conditions according to [EEPT06]. In the DPO approach, a graph K is used. K is the common interface of L and R, i.e. their intersection. Hence, a rule is given by a span p : L ← K → R.

Definition 1. (Graph Production [CMR+97]) A (typed) graph production $p = (L \xleftarrow{l} K \xrightarrow{r} R)$ consists of (typed) graphs L, K, R, called the left-hand side, gluing graph (or interface graph) and the right-hand side respectively, and two injective (typed) graph morphisms l and r. A graph production is nondeleting if the morphism l : K → L is the identity.

Definition 2. (Graph Transformation [CMR+97]) Given a (typed) graph production $p = (L \xleftarrow{l} K \xrightarrow{r} R)$ and a (typed) graph G with a (typed) graph morphism m : L → G, called the match, a direct (typed) graph transformation $G \overset{p,m}{\Longrightarrow} H$ from G to a (typed) graph H is given by the following double-pushout (DPO) diagram, where (1) and (2) are pushouts in the category Graphs (or $Graphs_{TG}$ respectively):

\[
\begin{array}{ccccc}
L & \xleftarrow{\;l\;} & K & \xrightarrow{\;r\;} & R \\
{\scriptstyle m}\big\downarrow & (1) & {\scriptstyle k}\big\downarrow & (2) & \big\downarrow{\scriptstyle n} \\
G & \xleftarrow{\;f\;} & D & \xrightarrow{\;g\;} & H
\end{array}
\]

A sequence G0 ⇒ G1 ⇒ ... ⇒ Gn of direct (typed) graph transformations is called a (typed) graph transformation and is denoted by $G_0 \overset{*}{\Rightarrow} G_n$.

Definition 3. (Negative Application Condition [EEPT06]) A negative application condition or NAC(n) on L is an arbitrary morphism n : L → N. A morphism g : L → G satisfies NAC(n) on L, i.e. g ⊨ NAC(n), if and only if there does not exist an injective q : N → G such that q ∘ n = g.

\[
\begin{array}{ccc}
L & \xrightarrow{\;n\;} & N \\
{\scriptstyle m}\big\downarrow & \swarrow{\scriptstyle q} & \\
G & &
\end{array}
\qquad \text{(the arrow } q \text{ is crossed out)}
\]


A set of NACs on L is denoted by $NAC_L = \{NAC(n_i) \mid i \in I\}$. A morphism g : L → G satisfies $NAC_L$ if and only if g satisfies all single NACs on L, i.e. $g \models NAC(n_i)\ \forall i \in I$.

Definition 4. (GT System, Graph Grammar [CMR+97]) A typed graph transformation system GTS = (TG, P) consists of a type graph TG and a set of typed graph productions P. We may use the abbreviation GT system for typed graph transformation system.

A fundamental notion in the context of termination is that of essential match. It deals with the possible application of a production to essentially the same match into different graphs in a sequence.

Definition 5. (Tracking Morphism and Essential Match [EEdL+05]) Given a (typed) graph transformation system with injective matches and start graph G, a nondeleting production $p : (L \xleftarrow{l} K \xrightarrow{r} R)$ with an injective morphism r : L → R and injective match m : L → G leading to a direct transformation $G \overset{p,m}{\Longrightarrow} H$ via (p, m) defined by the pushout (1) of r and m. The morphism d : G → H is called tracking morphism of $G \overset{p,m}{\Longrightarrow} H$:

\[
\begin{array}{ccc}
L & \xrightarrow{\;r\;} & R \\
{\scriptstyle m}\big\downarrow & (1) & \big\downarrow{\scriptstyle m^*} \\
G & \xrightarrow{\;d\;} & H
\end{array}
\qquad\qquad
\begin{array}{ccc}
 & L & \\
{\scriptstyle m_0}\swarrow & & \searrow{\scriptstyle m_1} \\
G_0 & \xrightarrow{\;d_1\;} & H_1
\end{array}
\]

Since both r and m are injective, the pushout properties of (1) imply that also d and m* are injective. Given a transformation $G_0 \overset{*}{\Rightarrow} H_1$, i.e. a sequence of direct transformations with an induced injective tracking morphism d1 : G0 → H1, a match m1 : L → H1 of L in H1 has an essential match m0 : L → G0 of L in G0 if we have d1 ∘ m0 = m1. Note that because d1 is injective, there is at most one essential match m0 for m1.

The notions of essential match and tracking morphism are relevant for nondeleting rules only, because a deleting rule consumes elements from the match and thus cannot be applied on the same match again. A non-deleting rule is self-disabling if it has a NAC that prohibits the existence of the pattern that the rule creates.

Definition 6. (Self-Disabling Production) Given a nondeleting production $p : (L \xleftarrow{l} K \xrightarrow{r} R)$ with an injective morphism r : L → R and NAC n : L → N. The negative application condition NAC(n) is self-disabling if there is an injective n′ : N → R such that n′ ∘ n = r. Production p is self-disabling if it has a self-disabling NAC.

The following lemma establishes that a self-disabling production cannot be applied on the same match again, and extends it to graph transformations that consist of self-disabling rules only.


Lemma 1. (Essential Match Applicability [EEdL+05]) In every transformation starting from G0 of a nondeleting (typed) graph transformation system GG = (TG, P) with injective matches and self-disabling productions, each production p ∈ P with r : L → R can be applied at most once with the same essential match m0 : L → G0 where m0 ⊨ NAC(n).

3 Termination of Nondeleting Transformations

In this section we present a termination criterion for nondeleting graph transformations. We define a precedence on production rules based on the produce-enable sequential dependency. The transitive closure of the precedence relation gives us the possible application order of production rules. If the transitive closure of the precedence relation is irreflexive, the GTS is terminating.

Figure 1 shows two simple rules responsible for creating CSP process assignments. Node PA represents a process assignment with two P nodes representing processes. The symbol n is an attribute of E and P nodes; a and b denote different constant values matched in the host graph. RuleA shown in Figure 1(a) transforms an activity edge to an empty process declaration by creating nodes PA, P with edge $\xrightarrow{a}$ for every E node identified by the n attribute. RuleB creates a process definition from an action by connecting an edge and node $\xrightarrow{p}$ P to a PA node for every interconnected E and A node instance as shown in Figure 1(b).

Fig. 1. Rsample = {RuleA, RuleB}: (a) RuleA; (b) RuleB


The criteria introduced in [EEdL+05] cannot be applied. The rules can be sorted into one or two layers. If the rules are in one layer, this only layer does not satisfy the deletion layer conditions for trivial reasons: RuleA does not decrease the number of graph items since it is nondeleting. When sorted into two layers (RuleA in layer 1 and RuleB in layer 2), layer 2 does not satisfy the nondeletion layer conditions: elements of types P and PA can be found in the LHS of RuleB, but not all elements of the same type were already created in this or a previous layer.

In spite of missing layers, a de-facto rule application precedence can be observed: RuleB is only applied once RuleA created the necessary $PA \xrightarrow{a} P$ nodes to a particular E node. Rules are applied nondeterministically, but still, on a certain match RuleB follows RuleA. This notion of precedence can be formalised as a produce-enable dependency: production rules p1, p2 are produce-enable dependent if p1 produces some objects that enable the application of p2.

There are other types of sequential dependencies, besides produce-enable. In the delete-forbid dependency, one rule application deletes a graph object which is in the match of another rule application. The change-use attribute dependency means that one rule application changes attributes being in the match of another rule application. In the produce-forbid dependency, one rule application generates graph objects in a way that a graph structure would occur which is prohibited by a NAC of another rule application [AGG07].

Since both delete-forbid and change-use attribute dependencies involve deletion (i.e. attribute change involves deletion of attribute edges from graph to data nodes), they would not occur in nondeleting transformations. Even though it is possible to have produce-forbid dependent rule pairs in the presence of NACs, they will not create new matches.
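As we are interested in connections where new matches may be created, only the produce-enable dependency remains.

Definition 7. (Produce-Enable Dependency) Given a graph transformation system GTS = (TG, P), rules $p_1$, $p_2$ with NACs $NAC_{p_1}$, $NAC_{p_2}$ are in a produce-enable dependency, denoted by $p_1 \xrightarrow{pe} p_2$, if there exist two direct graph transformations $t_1 : G \overset{p_1,m_1}{\Longrightarrow} H_1$, $t_2 : H_1 \overset{p_2,m_2}{\Longrightarrow} H_2$ such that

1. $\nexists\, h_{21} : L_2 \to D_1 : e_1 \circ h_{21} = m_2$.
2. $\exists\, h_{12} : R_1 \to D_2 : d_2 \circ h_{12} = m_1'$.

[Diagram: the DPO diagrams of t1 and t2 side by side, with NACs n1 : L1 → N1 and n2 : L2 → N2 above the rule spans, the graphs G ← D1 → H1 ← D2 → H2 in the bottom row connected by d1 : D1 → G, e1 : D1 → H1, d2 : D2 → H1 and e2 : D2 → H2, the morphisms m1′ : R1 → H1 and m2 : L2 → H1, and the morphisms h21 : L2 → D1 and h12 : R1 → D2 of conditions 1 and 2.]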

Condition 1 expresses that p2 is dependent on p1: there are certain elements of L2 that are not gluing items in p1 and are not present in the host graph beforehand. Condition 2 ensures that the items created by p1 are not deleted by p2 (i.e. they are gluing items). Condition 2 is always satisfied for non-deleting rules; however, the definition is required for general rules as detailed in Section 4.

The produce-enable relation is a binary relation on production rules. Since two different rules may be mutually produce-enable dependent on each other ($p_1 \xrightarrow{pe} p_2$ and $p_2 \xrightarrow{pe} p_1$ for $p_1 \neq p_2$), it is not in general symmetric or antisymmetric. If the transitive closure $\xrightarrow{pe*}$ of $\xrightarrow{pe}$ is irreflexive, no production rule is produce-enable dependent directly or indirectly on itself. Hence rules would not be able to produce corresponding matches for each other indefinitely, which would result in an infinite rule application sequence. Hence the system must be terminating.

Theorem 1. (Termination of Nondeleting GTS) Given a graph transformation system GTS = (TG, P) such that all rules are nondeleting and have self-disabling NACs. If the start graph G0 and the set of rules P are finite and the transitive closure of the produce-enable dependency is irreflexive, the GTS is terminating.

Proof. Termination is proven by contradiction, hence we assume the existence of an infinite rule application sequence σinf. Since P contains m rules, and σinf is an infinite application sequence, by the Pigeonhole principle, not all rule applications can be distinct. Thus, there is a set of rules $\{r_i, \ldots, r_j\} \subseteq P$ that are applied infinitely many times, where 0 < i, j ≤ m. (We do not assume in general that all rules are in one cycle.)

For each direct derivation $G_i \overset{r_i}{\Longrightarrow} G_{i+1}$ with injective matches there is an injective morphism $d_i : G_i \to G_{i+1}$ because $r_i$ is nondeleting. Each match $m_{i+1} : L_i \to G_{i+1}$ has an essential match $m_i : L_i \to G_i$ with $d_i \circ m_i = m_{i+1}$. From Lemma 1 we conclude that we have at most one application of the rule $r_i$ on the essential match $m_i$.

Thus the rules in the set $\{r_i, \ldots, r_j\}$ create matches for each other. This means that there is at least one cycle where $r_i$ creates a match for $r_{i+1}$, then $r_{i+1}$ creates a match for $r_{i+2}$, etc., and finally $r_j$ creates a match for $r_i$. This means that $r_i \xrightarrow{pe} r_{i+1} \xrightarrow{pe} \ldots \xrightarrow{pe} r_j \xrightarrow{pe} r_i$. However, this means that the transitive closure relation is not irreflexive, i.e. $r_i \xrightarrow{pe*} r_i$, which contradicts our assumptions. Thus, an infinite sequence of rule applications cannot exist.

4 Termination with GTS Components

Unfortunately Theorem 1 does not carry over to GTSs with general rules. Although deleting rules cannot be applied twice on the same match, a rule may delete elements contained in the NAC of another rule, thus enabling it again on the same essential match and resulting in a possibly endless cycle.

Thus we extend the criterion presented in Section 3 to GTSs with deleting rules. We assume that the start graph is kept intact and thus the effect of the deleting rules can be isolated into subsets of rules, called components. Then, we show that if the termination of all individual components can be proven, the entire GTS is terminating. The main advantage of this approach is that the criteria used to prove the termination of a component can be chosen freely.

Definition 8. (Protective Transformation) A graph transformation system GTS = (TG, P) with NACs is protective if its rules never delete an element of any given start graph, that is, for any TG-typed start graph G0, every transformation $G_0 \overset{*}{\Longrightarrow} H$ preserves G0.

It is easy to mistake a protective transformation for a nondeleting one. The difference is that while in nondeleting transformations no deletion is allowed at all (i.e. all rules are nondeleting), in protective transformations the rules may delete objects created by the transformation. This condition does not present a serious limitation for exogenous transformations, such as PIM to PSM transformations and others, generating one model from another one while keeping the source models intact. Also, all one-way transformations generated from bidirectional rules in triple graph grammars [Sch94] satisfy this criterion.

For a motivating example, we add two rules to Rsample: RuleD1 and RuleD2 as shown in Figure 2. Both NACs are connected to the LHSs of the respective rules. The rules convert a 1-to-n junction to a binary tree bottom up. First, an arbitrary E-node is matched, creating the lowest element of the tree. Then, the tree is built by adding the elements one by one. However, RuleD2 is deleting: as shown in Figure 2(b), the p edge from the 4:PA node to the 6:C node is deleted. Hence Theorem 1 does not apply directly to Rsample because it contains deleting rules.

The strategy to deal with the deleting rules is to isolate them. Rsample can be sorted into subsets responsible for transforming certain elements. For instance, RuleD1 and RuleD2 will not interfere with the elements matched by RuleB. This means that such a component is self-contained: deletion is contained within that group; one rule deletes only the product of other rules in the same group. Two rules will be in one such component if they are either produce-delete dependent, or delete-enable dependent.

Definition 9. (Delete-Enable Dependency) Given a graph transformation system GTS = (TG, P), rules $p_1$, $p_2$ with $NAC_{p_1}$, $NAC_{p_2}$ are in a delete-enable dependency, denoted by $p_1 \xrightarrow{de} p_2$, if there exist two direct transformations $t_1 : G \overset{p_1,m_1}{\Longrightarrow} H_1$, $t_2 : H_1 \overset{p_2,m_2}{\Longrightarrow} H_2$ such that for all NACs $n_2 \in NAC_{p_2}$ there exists an injective $e : N_2 \to G$, but no injective $e' : N_2 \to D_1$ with $d_1 \circ e' = e$. That means, $p_1$ deletes elements that are part of an occurrence of the negative pattern $N_2$ prohibiting the application of rule $p_2$ at match $e \circ n_2$.

Fig. 2. Rules RuleD1 and RuleD2: (a) RuleD1; (b) RuleD2

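[Diagram: the DPO diagrams of t1 and t2 side by side, with NACs n1 : L1 → N1 and n2 : L2 → N2 above the rule spans, the graphs G ← D1 → H1 ← D2 → H2 in the bottom row connected by d1, e1, d2 and e2, the morphisms m1′ and m2 into H1, and the morphisms e : N2 → G and e′ : N2 → D1.]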

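Definition 10. (Produce-Delete Dependency) Given a graph transformation system GTS = (TG, P), rules $p_1$, $p_2$ are in a produce-delete dependency, denoted by $p_1 \xrightarrow{pd} p_2$, if there exist two direct graph transformations $t_1 : G \overset{p_1,m_1}{\Longrightarrow} H_1$, $t_2 : H_1 \overset{p_2,m_2}{\Longrightarrow} H_2$ such that there exists neither $h_{12} : R_1 \to D_2$ with $d_2 \circ h_{12} = m_1'$ nor $h_{21} : L_2 \to D_1$ with $e_1 \circ h_{21} = m_2$.

[Diagram: the DPO diagrams of t1 and t2 side by side, with NACs n1 : L1 → N1 and n2 : L2 → N2 above the rule spans, the graphs G ← D1 → H1 ← D2 → H2 in the bottom row connected by d1, e1, d2 and e2, the morphisms m1′ and m2 into H1, and the morphisms h21 : L2 → D1 and h12 : R1 → D2.]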

That means, p2 deletes elements that were created by p1 and enabled the application of p2.

Definition 11. (GTS Component) Given a typed graph transformation system GTS = (TG, P), a subset Pi ⊂ P is a component (of GTS) if, when p ∈ Pi is produce-delete dependent or delete-enable dependent on q ∈ P, then q ∈ Pi.

From a different perspective, this means that deletion only happens within the subgraph that was created by the rules of the component. If p is nondeleting and there is no q ∈ P such that q is sequentially dependent, but not produce-enable dependent on p, then it forms its own component, i.e. Pi = {p}.

Let us show the formation of components in our example. Consider the rules RuleA, RuleB, RuleD1 and RuleD2 in Rsample. The dependency matrix of these rules is shown in the table below:

          RuleA   RuleB                  RuleD1                 RuleD2
RuleA     no      $\xrightarrow{pe}$     $\xrightarrow{pe}$     no
RuleB     no      no                     no                     no
RuleD1    no      no                     no                     $\xrightarrow{pd}$
RuleD2    no      no                     no                     $\xrightarrow{pd}$

As the P node created by RuleA may trigger an application of RuleB or RuleD1, RuleB and RuleD1 are produce-enable dependent on RuleA. Since they are not delete-enable or produce-delete dependent on each other, according to Definition 11 there is no reason to put them in the same component. Thus they will be in different components.

The dependency between RuleD1 and RuleD2 is more interesting: they seem to be produce-enable dependent, as RuleD2 matches the C → P nodes created by RuleD1. However, according to Condition 2 in Definition 7 the connected C and P nodes created by RuleD1 should be gluing items in RuleD2. Apparently they are not, because the p edge between nodes 4:PA and 6:C is deleted. This is exactly why Condition 2 is necessary: the deleting rule has to be grouped with the rules it deletes from. Thus we have three components: {RuleA}, {RuleB}, {RuleD1, RuleD2}.

It is important to see that components are not layers according to [EEdL+05]. The most apparent difference is the rule application mechanism. Layers follow each other sequentially: the transition to layer n + 1 occurs after all rules are applied to all possible matches in layer n. Rule application in a graph transformation system with components is 'normal': rules are applied nondeterministically. The application of rules between different components can hence interleave. For instance, after an application of RuleA and RuleD1 there is no restriction to RuleD2. We can apply RuleA or RuleD1 again (on a different match obviously). The second difference between layers and components is their meaning. Layers are creation and deletion layers dedicated to rules creating or deleting a specific type. Components on the other hand cover rules that are sequentially dependent on each other and thus work on the same subgraphs.

Definition 12. (Non-Interfering Rule System) Given a graph transformation system GTS = (TG, P). The subsets of rules R1, R2, . . . Rn ⊂ P form a non-interfering rule system if they are pairwise disjoint, their union equals P and each Ri is a component of GTS.

It is important to see the difference between a simple rule set, a rule component, and a non-interfering rule system. Given a graph transformation system GTS = (TG, P), a simple rule set R is trivially an arbitrary set of rules R ⊆ P. However, if we have several rule sets Ri that are pairwise disjoint and whose union gives P, this alone does not make them a non-interfering rule system. A non-interfering rule system consists of rule sets that are rule components as well, i.e. produce-delete and delete-enable dependent rules are grouped together. Thus a rule system can be interfering in two ways: (i) the rule sets are not components, or (ii) the components are not pairwise disjoint or their union does not equal P.

In order to prove termination, we lift the definition of produce-enable dependency (Def. 7) to incorporate components.

Definition 13. (PE Dependency for Components) Components P and R are produce-enable dependent, if there exist rules r ∈ R and p ∈ P such that $r \xrightarrow{pe} p$.


In the following we extend Theorem 1 to GTS components. The idea is that arbitrary termination criteria can be used to prove the termination of the individual components. Once their termination is ascertained, we use the transitive closure of the precedence relation to show that they would not produce corresponding matches for each other infinitely. In order to establish Theorem 2 it is important to show that if p enables the application of q, they are either in one component, or they are produce-enable dependent.

Lemma 2. (Enabling Rules) Given a graph transformation system GTS = (TG, P) with rules p, q ∈ P. If p creates a match for q, then either $p \xrightarrow{pe} q$ or there exists a component Ri of GTS such that p, q ∈ Ri.

Proof. A match can be created by p for q if q is either produce-enable, produce-delete, or delete-enable dependent on p. Any other dependencies do not create new matches for q, but prevent the application of p after q. Thus, the lemma follows from Definition 11.

Theorem 2. (Termination of GTSs with Non-Interfering Rule System) Given a protective graph transformation system GTS = (TG, P) with non-interfering rule system P = R1, R2, . . . Rn such that all rules have a self-disabling NAC (Def. 6). If the start graph G0 is finite, the transitive closure relation of the produce-enable dependency on components is irreflexive and the components Ri terminate individually, then GTS is terminating.

Proof. Termination is proven by contradiction, hence we assume the existence of an infinite rule application sequence σinf. By the termination of each component σinf can be decomposed into a sequence of finite sequences σ1 σ2 . . . with each σi being a maximal sequence of transformations using rules from a single component only. Since the sum of rule applications of σ1 σ2 . . . is finite, and σinf is an infinite application sequence, by the Pigeonhole principle, not all rule applications can be distinct. Thus, there is a set of m ≤ n rules $\{r_i, \ldots, r_j\} \subseteq P$ that are applied infinitely many times, where 0 < i, j ≤ m. (We do not assume in general that all rules are in one cycle.)

The rules $\{r_i, \ldots, r_j\}$ cannot be in one component as their termination was assumed. According to Lemma 2, a rule $r_k \in R_k$ (k ∈ [n]) creates matches for $r_l \in R_l$ (l ∈ [n]) only if they are produce-enable dependent or belong to the same component. Thus, the individual rules $\{r_i, \ldots, r_j\}$ are nondeleting and form components themselves.

For each direct derivation $G_i \overset{r_i}{\Longrightarrow} G_{i+1}$ with injective matches there is an injective morphism $d_i : G_i \to G_{i+1}$ because $r_i$ is nondeleting. Each match $m_{i+1} : L_i \to G_{i+1}$ has an essential match $m_i : L_i \to G_i$ with $d_i \circ m_i = m_{i+1}$. From Lemma 1 we conclude that we have at most one application of rule $r_i$ on essential match $m_i$.

Thus the rules in the set $\{r_i, \ldots, r_j\}$ create matches for each other, i.e., there is at least one cycle, where $r_i \xrightarrow{pe} r_{i+1} \xrightarrow{pe} \ldots \xrightarrow{pe} r_j \xrightarrow{pe} r_i$. However, this means that the transitive closure is not irreflexive, i.e. $r_i \xrightarrow{pe*} r_i$, which contradicts our assumptions. Thus, an infinite rule application sequence does not exist.

5 Application in Practice

In order to apply the termination criteria established in Theorems 1 and 2, three tasks need to be accomplished:

1. Determination of the sequential dependencies between the rules.
2. The definition of the rule components.
3. Search for the directed cycles within the sequential dependencies.

At the moment, only the first task is automated. The Attributed Graph Grammar System (AGG) [AGG07] provides verification facilities for graph transformations. Besides critical pair analysis, AGG can generate all dependencies of rule applications. It is important to note that AGG finds all possible dependency types between rules, so we need to classify and select produce-enable, produce-delete and delete-enable dependencies for our purposes.

We used the theoretical results to prove the termination of the Activity Diagram to CSP transformation [VAB+08, DB08]. The transformation, which provides a denotational semantic mapping for UML Activity Diagrams [OMG06] into Communicating Sequential Processes (CSP) [Hoa85], is denoted by GTSsmc with type graph TGroot and set of rules Psmc (listed in Figure 4). The individual rule design of the semantic mapping was inspired by triple graph grammars, although TGGs were never used for implementation. The creation of target elements, in combination with negative application conditions on the target model, allows us to retain the input model and restrict ourselves to protective rules, preserving the input model. These two properties are important for Theorem 1. As mentioned in Section 1, existing termination criteria were insufficient for our case.

The basic elements of CSP are processes. A process is the behaviour pattern of an object with an alphabet of a limited set of events. Processes are defined using recursive process equations with guarded expressions. The syntax of the process equations is the following.

P ::= event → P | P □ Q | P || Q | P \ a | SKIP | STOP

The prefix a → P performs action a and then behaves like P. The process P □ Q represents external choice between processes P and Q. The process P || Q behaves as P and Q engaged in a lock-step synchronisation. Hiding P \ a behaves like P except that all occurrences of event a are hidden. SKIP represents successful termination, STOP is a deadlock [Hoa85].

Figure 3 shows a generic outline of the abstract syntax tree of CSP: the root node is a Csp-Container instance connected to process declarations. A process declaration is a process assignment that is identified by a process instance contained via the processAssignment aggregation. Further depth is given to the tree by the connected behaviour. We call these connected behaviour-trees process expression subtrees, PE-trees for short.

Fig. 3. The Structure of the CSP graph

The transformation builds the abstract syntax tree of CSP expressions top-down: the elements closer to the root are created first, then the branches. The process declarations are created first from control flow edges of the activity diagram. Then, the empty declarations are completed with behaviour in terms of PE-trees. One PE-subtree corresponds to one activity element, i.e. decision node, fork node, action. The rule design reflects this: Psmc is sorted into named subsets Pi ⊂ Psmc, each responsible for transforming a certain element of the activity diagram. It is important to observe that one rule group does not interfere with the PE-tree of another group. For instance, the rules responsible for building the subtree associated with a decision node will not modify or create a subtree that describes the behaviour of a join node.

The behaviour transformation follows a delocated design. First, all the edges are transformed to the corresponding process declarations by the BhEdge rule, which is similar to RuleA in Figure 1(a). Then, the various nodes fill the empty process definitions. The BhAction rule, similar to RuleB in Figure 1(b), transforms an action node to a prefix in CSP. BhInit creates the root process, BhFinal fills the declaration with a SKIP process. RuleD1 and RuleD2 introduced in Figure 2 are the skeletons for the BhDecision1, BhDecision2, BhFork1, BhFork2 and BhForkNoJoin1, BhForkNoJoin2 rule groups. While the D nodes are decision nodes and the C nodes are choices in the decision group, in the fork groups they are fork nodes and parallel compositions respectively. The BhJoin synchronises and the BhMerge merges the multiple flows back to one process.

Using AGG, we managed to generate the dependencies between the rules used to specify the semantic mapping. Unfortunately, this operation takes many hours and cannot be run in one go. Because of Java memory management characteristics, AGG had to be restarted repeatedly before complicated rule pairs. With the dependencies at hand, we determined the minimal rule components and the PE-dependency graph as shown in Figure 4.

Fig. 4. Dependency graph based on the AGG dependency check

According to Figure 4, there are no directed cycles in the PE-dependency graph. Furthermore, the rules form a non-interfering rule system and all rules have self-disabling NACs. Thus, after showing the termination of the three rule components using [LPE07], we concluded that the UML to CSP transformation system, i.e. $GTS_{smc} = (P_{smc}, TG_{root})$ with a finite start graph $G_0$ and injective matches, is terminating.
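The acyclicity condition read off Figure 4 can be checked mechanically once the dependencies between rule groups are available as an edge list. The following Python code is an added example, not the authors' tooling or AGG output: the rule-group names come from the text, while the edges in `SAMPLE_DEPENDENCIES` and the function `find_cycle` are constructed for illustration and do not reproduce Figure 4.

```python
from typing import Dict, List, Optional

# Constructed sample (NOT the content of Figure 4): an edge A -> B means
# that rule group B depends on rule group A.
SAMPLE_DEPENDENCIES: Dict[str, List[str]] = {
    "BhEdge": ["BhAction", "BhDecision", "BhFork", "BhFinal"],
    "BhDecision": ["BhMerge"],
    "BhFork": ["BhJoin"],
}

WHITE, GREY, BLACK = 0, 1, 2  # unvisited / on the current DFS path / finished


def find_cycle(graph: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return one directed cycle as a node list (first == last), or None.

    Iterative depth-first search: an edge into a GREY node is a back edge,
    and the grey nodes on the stack from that node onwards form the cycle.
    """
    nodes = set(graph) | {m for succ in graph.values() for m in succ}
    colour = {n: WHITE for n in nodes}
    for root in sorted(nodes):  # sorted for a deterministic witness
        if colour[root] != WHITE:
            continue
        colour[root] = GREY
        stack = [(root, iter(sorted(graph.get(root, []))))]
        while stack:
            node, successors = stack[-1]
            for nxt in successors:
                if colour[nxt] == GREY:
                    path = [n for n, _ in stack]
                    return path[path.index(nxt):] + [nxt]
                if colour[nxt] == WHITE:
                    colour[nxt] = GREY
                    stack.append((nxt, iter(sorted(graph.get(nxt, [])))))
                    break
            else:  # all successors explored: node is finished
                colour[node] = BLACK
                stack.pop()
    return None


if __name__ == "__main__":
    print("acyclic" if find_cycle(SAMPLE_DEPENDENCIES) is None else "cyclic")
    # Adding a constructed back edge BhJoin -> BhFork violates the condition.
    broken = dict(SAMPLE_DEPENDENCIES, BhJoin=["BhFork"])
    print("witness:", find_cycle(broken))
```

A returned witness names the rule groups whose mutual dependency breaks the condition; acyclicity alone does not establish termination, since the non-interference, self-disabling NAC and per-component termination conditions still have to hold.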

6 Conclusions

In this paper we addressed the termination problem for graph transformations. A generic termination criterion was established for nondeleting graph transformations. To enable the combination of various termination criteria, structural conditions were provided on the rules of a graph transformation system. To apply the theoretical results in practice, AGG was employed to check minimal dependencies in the rules of graph transformation systems. Future work includes investigating the possibilities of designing rule sets that are terminating in the first place, i.e. turning the termination criteria into a design method.

References

[AGG07] AGG - Attributed Graph Grammar System Environment. http://tfs.cs.tu-berlin.de/agg, 2007.

[BKPPT05] Paolo Bottoni, Manuel Koch, Francesco Parisi-Presicce, and Gabriele Taentzer. Termination of high-level replacement units with application to model transformation. Electronic Notes Theoretical Computer Science, 127(4):71–86, 2005.

[Bog95] Mirna Bognar. A survey of abstract rewriting. Master's thesis, VU University Amsterdam, 1995.

[CMR+97] Andrea Corradini, Ugo Montanari, Francesca Rossi, Hartmut Ehrig, Reiko Heckel, and Michael Löwe. Algebraic approaches to graph transformation - part i: Basic concepts and double pushout approach. In Handbook of Graph Grammars, pages 163–246, 1997.

[DB08] Hartmut Ehrig Dénes Bisztray, Reiko Heckel. Verification of architectural refactoring rules. Technical report, Department of Computer Science, University of Leicester, 2008. http://www.cs.le.ac.uk/people/dab24/refactoring-techrep.pdf.

[EEdL+05] Hartmut Ehrig, Karsten Ehrig, Juan de Lara, Gabriele Taentzer, Dániel Varró, and Szilvia Varró-Gyapay. Termination criteria for model transformation. In Maura Cerioli, editor, Proc. FASE 2005: International Conference on Fundamental Approaches to Software Engineering, volume 3442 of LNCS, pages 49–63, Edinburgh, UK, April 2005. Springer.

[EEPT06] Hartmut Ehrig, Karsten Ehrig, Ulrike Prange, and Gabriele Taentzer. Fundamentals of Algebraic Graph Transformation (Monographs in Theoretical Computer Science). An EATCS Series. Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2006.

[Hoa85] Charles Antony Richard Hoare. Communicating Sequential Processes. Prentice Hall International Series in Computer Science. Prentice Hall, April 1985.

[LPE07] Tihamér Levendovszky, Ulrike Prange, and Hartmut Ehrig. Termination criteria for dpo transformations with injective matches. Electron. Notes Theor. Comput. Sci., 175(4):87–100, 2007.

[OMG06] OMG. Unified Modeling Language, version 2.1.1, 2006. http://www.omg.org/technology/documents/formal/uml.htm.

[Plu95] Detlef Plump. On termination of graph rewriting. In Graph-Theoretic Concepts in Computer Science, pages 88–100, 1995.

[Sch94] Andy Schürr. Specification of graph translators with triple graph grammars. In Tinhofer, editor, Proc. WG'94 Int. Workshop on Graph-Theoretic Concepts in Computer Science, number 903, pages 151–163. Springer-Verlag, 1994.

[VAB+08] Dániel Varró, Márk Asztalos, Dénes Bisztray, Artur Boronat, Duc-Hanh Dang, Rubino Geiß, Joel Greenyer, Pieter Gorp, Ole Kniemeyer, Anantha Narayanan, Edgars Rencis, and Erhard Weinell. Transformation of uml models to csp: A case study for graph transformation tools. pages 540–565, 2008.